* Add a new class
@ 2004-10-04 22:11 Trent Jaeger
  2004-10-05  0:17 ` Luke Kenneth Casson Leighton
  2004-10-05  0:40 ` Joshua Brindle
  0 siblings, 2 replies; 8+ messages in thread
From: Trent Jaeger @ 2004-10-04 22:11 UTC (permalink / raw)
  To: selinux

Hi,

I think this is something I could find in the docs or code, but I don't 
see it. 

How do I add a new class?  There are a variety of files in 
security/selinux/include, such as av_permissions.h, that are 
"automatically generated", but they are already in the distribution, so it 
is not clear how they are generated.  If I add a class, operations, etc., 
these files have to be modified and I would rather do it the proper way.

BTW -- this is for adding IPSec security associations for classes, so we 
can label network connections.  Prototype code should be available soon.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225

* Re: Add a new class
  2004-10-04 22:11 Add a new class Trent Jaeger
@ 2004-10-05  0:17 ` Luke Kenneth Casson Leighton
  2004-10-05  0:40 ` Joshua Brindle
  1 sibling, 0 replies; 8+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-05  0:17 UTC (permalink / raw)
  To: Trent Jaeger; +Cc: selinux

hi trent,

as i understand it, it depends on what kind of operation you intend to
add.

for example if it's a new filesystem type, you don't _need_ to add a new
class: selinux is smart enough to pick up the name from the vfs
(superblock?) name, e.g. "fuse" or "proc" and you can add an association
from there.

... but if you're _genuinely_ adding something new such as, oh
i dunno, optimised kernel-level support for Wine win32 calls
where you need to support oh i dunno mmmm the concept of a
NT named pipe because you've written a special authenticated
pipe which can support NT security descriptors, then yes you
would need to add a class...

... along with the corresponding support in the kernel _for_
that type, inside the selinux kernel.

basically it boils down to this:

do you _really_ need to extend the types of operations which selinux can
"vet"

such as oh i dunno:

	"allow openssl_exec_t port_t { add_rsa_key_to_connection }
								   ^^^^^^^^^^^^^^^^^^^^^^^^^

because if so, then the vetting can only be done in the linux kernel,
therefore you have no alternative but to add new stuff (like with the
recent x.org classes) into the selinux security module.

l.

On Mon, Oct 04, 2004 at 06:11:43PM -0400, Trent Jaeger wrote:
> Hi,
> 
> I think this is something I could find in the docs or code, but I don't 
> see it. 
> 
> How do I add a new class?  There are a variety of files in 
> security/selinux/include, such as av_permissions.h, that are 
> "automatically generated", but they are already in the distribution, so it 
> is not clear how they are generated.  If I add a class, operations, etc., 
> these files have to be modified and I would rather do it the proper way.
> 
> BTW -- this is for adding IPSec security associations for classes, so we 
> can label network connections.  Prototype code should be available soon.
> 
> Regards,
> Trent.
> ------------------------------------------------------------
> Trent Jaeger
> IBM T.J. Watson Research Center
> 19 Skyline Drive, Hawthorne, NY 10532
> (914) 784-7225, FAX (914) 784-7225
-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Add a new class
  2004-10-04 22:11 Add a new class Trent Jaeger
  2004-10-05  0:17 ` Luke Kenneth Casson Leighton
@ 2004-10-05  0:40 ` Joshua Brindle
  2004-10-05 12:32   ` Stephen Smalley
  1 sibling, 1 reply; 8+ messages in thread
From: Joshua Brindle @ 2004-10-05  0:40 UTC (permalink / raw)
  To: Trent Jaeger; +Cc: selinux

Check the files in policy/flask

specifically you must add the class to security_classes and the 
permissions to access_vectors and then rebuild the headers with the 
Makefile in the flask directory and put them in 
linux/security/selinux/include/

then reboot on the new kernel and build a policy with the new classes 
and access vectors, it should be fairly straightforward and no problems 
should occur.

Joshua Brindle

Trent Jaeger wrote:

>
> Hi,
>
> I think this is something I could find in the docs or code, but I 
> don't see it.  
>
> How do I add a new class?  There are a variety of files in 
> security/selinux/include, such as av_permissions.h, that are 
> "automatically generated", but they are already in the distribution, 
> so it is not clear how they are generated.  If I add a class, 
> operations, etc., these files have to be modified and I would rather 
> do it the proper way.
>
> BTW -- this is for adding IPSec security associations for classes, so 
> we can label network connections.  Prototype code should be available 
> soon.
>
> Regards,
> Trent.
> ------------------------------------------------------------
> Trent Jaeger
> IBM T.J. Watson Research Center
> 19 Skyline Drive, Hawthorne, NY 10532
> (914) 784-7225, FAX (914) 784-7225 


* Re: Add a new class
  2004-10-05  0:40 ` Joshua Brindle
@ 2004-10-05 12:32   ` Stephen Smalley
  0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2004-10-05 12:32 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Trent Jaeger, selinux

On Mon, 2004-10-04 at 20:40, Joshua Brindle wrote:
> Check the files in policy/flask
> 
> specifically you must add the class to security_classes and the 
> permissions to access_vectors and then rebuild the headers with the 
> Makefile in the flask directory and put them in 
> linux/security/selinux/include/
> 
> then reboot on the new kernel and build a policy with the new classes 
> and access vectors, it should be fairly straightforward and no problems 
> should occur.

Note that if you are acting on a policy directory in a selinux-usr tree
and have a linux-2.6 tree at the same level as your selinux-usr tree,
then you can also do 'make all tokern tolib' in policy/flask to build
and push the regenerated headers to the linux-2.6 tree and libselinux
tree.  You can also override LIBSEL and LINUXDIR definitions if they
have different locations.

I should also note that as a result of patches from Ulrich Drepper, the
generated headers have changed, as has the code that uses them, but this
change is only in the CVS tree (sourceforge and our internal tree); we
have not yet pushed the change upstream as no actual kernel definitions
have changed yet.

Please be sure to submit the patch to the policy/flask files to the list
ASAP to reserve the classes so that their values won't be re-used for
another class.  No need to submit a patch for the regenerated headers;
we will rebuild those ourselves when merging the patch for the
policy/flask files.

I don't think it is necessary to boot the new kernel before building the
updated policy, as you can always load a policy with additional classes
and permissions even if the existing kernel doesn't use them; you only
have a problem if you try to change or remove an existing class or
permission (and the kernel will refuse to load such a policy anyway). 
In fact, it is likely not safe to boot the new kernel without first
building and installing the new policy, because the new kernel may try
to use the new classes and permissions before they are defined in the
policy (which would result in denials).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


* Re: Add a new class
@ 2005-01-02  7:17 Park Lee
  2005-01-03 14:01 ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Park Lee @ 2005-01-02  7:17 UTC (permalink / raw)
  To: sds; +Cc: jbrindle, jaegert, lkcl, SELinux

On 2004-10-05 at 12:32, Stephen Smalley wrote:
> On Mon, 2004-10-04 at 20:40, Joshua Brindle wrote:
> >
> > Check the files in policy/flask
> >
> > specifically you must add the class to 
> > security_classes and the permissions to 
> > access_vectors and then rebuild the headers with 
> > the Makefile in the flask directory and put them 
> > in linux/security/selinux/include/
> >
> > then reboot on the new kernel and build a policy 
> > with the new classes and access vectors, it 
> > should be fairly straightforward and no problems 
> > should occur.
>
> Note that if you are acting on a policy directory 
> in a selinux-usr tree and have a linux-2.6 tree at 
> the same level as your selinux-usr tree, then you 
> can also do 'make all tokern tolib' in policy/flask 
> to build and push the regenerated headers to the 
> linux-2.6 tree and libselinux tree.  You can also 
> override LIBSEL and LINUXDIR definitions if they
> have different locations.

Now, I'm using FC2. 
I've added a new class to security_classes and the
permissions to access_vectors (In
/etc/security/selinux/src/policy/flask), after that,
rebuilt the headers with the Makefile in the flask
directory and put them in
/usr/src/linux-2.6.5-1.358/security/selinux/include as
Joshua Brindle has mentioned. 

What confuses me here is this: MUST we also copy the
headers to the libselinux/include/selinux directory and
regenerate a new libselinux.so for the new class and
its permissions? Can we ignore this step?

And is there still any other matter that we should
pay attention to when we add a new class?


Thank you very much.



=====
Best Regards,
Park Lee



* Re: Add a new class
  2005-01-02  7:17 Park Lee
@ 2005-01-03 14:01 ` Stephen Smalley
  0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-01-03 14:01 UTC (permalink / raw)
  To: Park Lee
  Cc: Joshua Brindle, Trent Jaeger, Luke Kenneth Casson Leighton,
	SELinux

On Sun, 2005-01-02 at 02:17, Park Lee wrote:
> Now, I'm using FC2. 

FC3 is strongly recommended over FC2 for SELinux users.

> I've added a new class to security_classes and the
> permissions to access_vectors (In
> /etc/security/selinux/src/policy/flask), after that,
> rebuilt the headers with the Makefile in the flask
> directory and put them in
> /usr/src/linux-2.6.5-1.358/security/selinux/include as
> Joshua Brindle has mentioned.

When adding new classes, you should typically work off of our
sourceforge CVS tree, as that will have the latest definitions.
Or at the very least, you should work off of the latest kernel, i.e.
2.6.10 + 2.6.10-mm1 from kernel.org.  Note that until you submit a patch
reserving your classes to us and until we accept such a patch into our
tree, the class value may be re-used at any time for some other purpose,
forcing you to re-base, much like adding a new syscall to the kernel. 
We have already reserved a new class and permissions for Trent Jaeger's
IPSEC work, as you can see in our sourceforge CVS tree.

> What confused me here is that: MUST we also copy the
> headers to libselinux/include/selinux directory, and
> regenerate a new libselinux.so for the new class and
> its permissions? can we ignore this step?

It isn't required unless some application needs to reference the new
class, but we do update them when we merge new classes into our tree to
keep them in sync.  In the long term, it is expected that there will be
a separate mechanism for userspace object managers to dynamically
register security classes and permissions for their own use, e.g. see
the SELinux Policy Server project by Tresys.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


* Re: Add a new class
@ 2005-01-12 19:40 Park Lee
  2005-01-12 21:34 ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Park Lee @ 2005-01-12 19:40 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

On 2004-10-05 at 12:32, Stephen Smalley wrote:
> On Mon, 2004-10-04 at 20:40, Joshua Brindle wrote:
> > Check the files in policy/flask 
> > 
> > specifically you must add the class to 
> > security_classes and the permissions to 
> > access_vectors and then rebuild the headers with 
> > the Makefile in the flask directory and put them 
> > in linux/security/selinux/include/
> > 
> > then reboot on the new kernel and build a policy 
> > with the new classes and access vectors, it 
> > should be fairly straightforward and no problems 
> > should occur.
> 
> I don't think it is necessary to boot the new 
> kernel before building the updated policy, as you 
> can always load a policy with additional classes
> and permissions even if the existing kernel doesn't 
> use them; you only have a problem if you try to 
> change or remove an existing class or permission 
> (and the kernel will refuse to load such a policy 
> anyway). In fact, it is likely not safe to boot the 
> new kernel without first building and installing 
> the new policy, because the new kernel may try
> to use the new classes and permissions before they 
> are defined in the policy (which would result in 
> denials).

Now, I'm using FC2. I am trying to add a new class (also
just for learning).
I've added a new class to security_classes and the
permissions to access_vectors (In
/etc/security/selinux/src/policy/flask), after that,
rebuilt the headers with the Makefile in the flask
directory and put them in
/usr/src/linux-2.6.5-1.358/security/selinux/include as
Joshua Brindle has mentioned, and then rebooted on
the new kernel.
After I rebooted on the new kernel, I went into
/etc/security/selinux/src/policy, and ran 'make load'.
But this time, the security_load_policy failed!
The following is what appeared on my screen:

[root@lenovo policy]# make load
mkdir -p tmp
 [... snipped ...] 
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -o
/etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy:  loading policy configuration
from policy.conf
security:  5 users, 7 roles, 1244 types, 1 bools
security:  31 classes, 303377 rules
 [... snipped ...]
/usr/bin/checkpolicy:  writing binary representation
(version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
/usr/bin/checkpolicy -c 16 -o
/etc/security/selinux/policy.16 policy.conf
/usr/bin/checkpolicy:  loading policy configuration
from policy.conf
security:  5 users, 7 roles, 1244 types, 1 bools
security:  31 classes, 303377 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation
(version 16) to /etc/security/selinux/policy.16
/usr/sbin/load_policy
/etc/security/selinux/policy.`cat /selinux/policyvers`
/usr/sbin/load_policy:  security_load_policy failed
make: *** [tmp/load] Error 3


Then, is there something wrong? Would you please tell
me what's the matter with 'make load'?

Thank you. 




=====
Best Regards,
Park Lee


* Re: Add a new class
  2005-01-12 19:40 Park Lee
@ 2005-01-12 21:34 ` Stephen Smalley
  0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-01-12 21:34 UTC (permalink / raw)
  To: Park Lee; +Cc: SELinux

On Wed, 2005-01-12 at 14:40, Park Lee wrote:
> Now, I'm using FC2. I am trying to add a new class (also
> just for learning).
> I've added a new class to security_classes and the
> permissions to access_vectors (In
> /etc/security/selinux/src/policy/flask), after that,
> rebuilt the headers with the Makefile in the flask
> directory and put them in
> /usr/src/linux-2.6.5-1.358/security/selinux/include as
> Joshua Brindle has mentioned, and then rebooted on
> the new kernel.
> After I rebooted on the new kernel, I went into
> /etc/security/selinux/src/policy, and ran 'make load'.
> But this time, the security_load_policy failed!
> The following is what appeared on my screen:

What messages did you get in /var/log/messages or dmesg output upon the
load?

Did you add the new class to the end of the current set of classes? 
Otherwise, it will perturb the values of the existing classes and the
kernel will refuse to load it after the initial policy load.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
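The procedure Joshua Brindle gives (add the class to security_classes and its permissions to access_vectors, then regenerate the headers) and the failure mode Stephen Smalley describes here (a class inserted anywhere but the end shifts the values of every class after it, and the kernel then refuses the policy) can be checked before anything is rebuilt or rebooted. The script below is an added example, not the thread's own text and not the genheaders tooling from the SELinux policy/flask Makefile. It assumes the file format the thread refers to (`class NAME` lines in security_classes; `common NAME { perms }` and `class NAME [inherits COMMON] { perms }` blocks in access_vectors) and the numbering rule the generated headers use for that era (class values are 1-based positions in security_classes; permission bits are assigned in order, inherited common permissions first). All sample inputs are constructed.

```python
import re

# Constructed sample inputs in the policy/flask file format (assumption: the
# "class NAME" lines of security_classes and the common/class blocks of
# access_vectors, as described in the thread).
OLD_CLASSES = """\
# FLASK
# Define the security object classes
class security
class process
class file
class dir
"""
# Correct edit: the new class goes after every existing class.
NEW_CLASSES_APPENDED = OLD_CLASSES + "class association\n"
# Wrong edit: the new class is inserted mid-list, renumbering file and dir.
NEW_CLASSES_INSERTED = "class security\nclass process\nclass association\nclass file\nclass dir\n"

OLD_VECTORS = """\
common file
{
    ioctl
    read
    write
}
class file
inherits file
{
    execute_no_trans
}
class dir
inherits file
{
    add_name
    remove_name
}
class security
{
    compute_av
    load_policy
}
class process
{
    fork
    transition
}
"""
NEW_VECTORS = OLD_VECTORS + "class association\n{\n    sendto\n    recvfrom\n}\n"
# Wrong edit: a permission inserted into a common block shifts every later bit.
NEW_VECTORS_PERM_INSERTED = OLD_VECTORS.replace("    read\n    write\n", "    read\n    append\n    write\n")


def parse_classes(text):
    """Return class names in declaration order (comments stripped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^class\s+(\w+)", line)
        if m:
            names.append(m.group(1))
    return names


def parse_vectors(text):
    """Return (commons, classes): commons[name] -> [perms];
    classes[name] -> (inherited common or None, [own perms])."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(line.split("#", 1)[0].replace("{", " { ").replace("}", " } ").split())
    commons, classes, i = {}, {}, 0
    while i < len(tokens):
        kind, name, i = tokens[i], tokens[i + 1], i + 2
        inherits = None
        if kind == "class" and i < len(tokens) and tokens[i] == "inherits":
            inherits, i = tokens[i + 1], i + 2
        perms = []
        if i < len(tokens) and tokens[i] == "{":          # optional permission block
            i += 1
            while tokens[i] != "}":
                perms.append(tokens[i])
                i += 1
            i += 1
        if kind == "common":
            commons[name] = perms
        elif kind == "class":
            classes[name] = (inherits, perms)
        else:
            raise ValueError(f"unexpected token {kind!r}")
    return commons, classes


def assign_values(classes_text, vectors_text):
    """Mimic the generated headers: SECCLASS value = 1-based position in
    security_classes; permission bit = 1 << position, common perms first."""
    order = parse_classes(classes_text)
    commons, classes = parse_vectors(vectors_text)
    class_values = {name: idx for idx, name in enumerate(order, start=1)}
    perm_bits = {}
    for name in order:
        inherits, own = classes.get(name, (None, []))
        perms = (list(commons[inherits]) if inherits else []) + own
        for bit, perm in enumerate(perms):
            perm_bits[(name, perm)] = 1 << bit
    return class_values, perm_bits


def check_compatible(old, new):
    """List every existing class or permission whose value changed or vanished.
    An empty list means the edit only appends, which the thread says an
    already-running kernel will still load."""
    (old_classes, old_perms), (new_classes, new_perms) = old, new
    problems = []
    for name, value in old_classes.items():
        if name not in new_classes:
            problems.append(f"class {name} removed")
        elif new_classes[name] != value:
            problems.append(f"class {name}: value {value} -> {new_classes[name]}")
    for (cls, perm), bit in old_perms.items():
        if (cls, perm) not in new_perms:
            problems.append(f"permission {cls}:{perm} removed")
        elif new_perms[(cls, perm)] != bit:
            problems.append(f"permission {cls}:{perm}: bit {bit:#x} -> {new_perms[(cls, perm)]:#x}")
    return problems


def report(old_classes, old_vectors, new_classes, new_vectors):
    return check_compatible(assign_values(old_classes, old_vectors),
                            assign_values(new_classes, new_vectors))


if __name__ == "__main__":
    for label, c, v in [("appended class", NEW_CLASSES_APPENDED, NEW_VECTORS),
                        ("inserted class", NEW_CLASSES_INSERTED, NEW_VECTORS),
                        ("inserted permission", OLD_CLASSES, NEW_VECTORS_PERM_INSERTED)]:
        problems = report(OLD_CLASSES, OLD_VECTORS, c, v)
        print(label, "->", "OK, additions only" if not problems else problems)
```

Run it against the pre-edit and post-edit copies of the two files instead of the constructed strings: a non-empty report means the regenerated headers will disagree with the class and permission values a previously booted kernel already holds, which is the situation Stephen's reply warns will make the kernel refuse the policy after the initial load.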

