* idea: setfiles to exclude specific type
From: Yuichi Nakamura @ 2004-11-22 15:54 UTC (permalink / raw)
To: sds, dwalsh, selinux; +Cc: himainu-ynakam
Hello.
I added a setfiles "-x" option.
I attach my idea in "setfiles.diff".
The -x option is used to exclude a specified type.
For example,
# setfiles file_contexts /home -x httpd_user_rw_t
setfiles skips relabeling files that have "httpd_user_rw_t".
The reason this option is necessary is as follows.
I heard that fixfiles.cron was removed because unwanted alerts are displayed.
In some cases, types must be preserved.
http://www.redhat.com/archives/fedora-selinux-list/2004-November/msg00061.html
But I think fixfiles.cron is useful, and I hope it is included again,
because label integrity is critical for SELinux.
I think that to suppress unwanted alerts,
it is necessary to add a new option to setfiles and modify fixfiles.
Does it sound reasonable?
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
[-- Attachment #2: setfiles.diff --]
--- setfiles.c.orig 2004-11-19 15:40:07.000000000 -0500
+++ setfiles.c 2004-11-19 16:22:19.444466440 -0500
@@ -4,7 +4,7 @@
* AUTHOR: Stephen Smalley <sds@epoch.ncsc.mil>
* This program was derived in part from the setfiles.pl script
* developed by Secure Computing Corporation.
- *
+ * -x option: Yuichi Nakamura <ynakam@selinux.gr.jp>
* PURPOSE:
* This program reads a set of file security context specifications
* based on pathname regular expressions and labels files
@@ -25,6 +25,7 @@
* -v Show changes in file labels.
* -W Warn about entries that have no matching file.
* -o filename write out file names with wrong context.
+ * -x Specify type to exclude
*
* spec_file The specification file.
* pathname... The file systems to label (omit if using -s).
@@ -81,10 +82,12 @@
static int excludeCtr=0;
struct edir {
char *directory;
+ char *type;
int size;
};
static struct edir excludeArray[MAX_EXCLUDES];
+
/*
* Command-line options.
*/
@@ -153,12 +156,35 @@
return tmp - buf;
}
+int checktype(const char *file, char *type, int size){
+ security_context_t con;
+ char *c;
+ int ret;
+
+ ret = getfilecon(file, &con);
+ if(ret == -1){
+ return 0;
+ }
+ c = strrchr(con,':');
+ c++;
+ if(strcmp(c,type) ==0 ){
+ return 1;
+ }
+ return 0;
+}
+
static int exclude(const char *file) {
int i=0;
- for(i=0; i < excludeCtr; i++) {
- if (strncmp(file,excludeArray[i].directory,excludeArray[i].size)==0) {
- if (file[excludeArray[i].size]==0 ||
- file[excludeArray[i].size]=='/') {
+ for(i=0; i < excludeCtr; i++) {
+ if(excludeArray[i].type == NULL){
+ if (strncmp(file,excludeArray[i].directory,excludeArray[i].size)==0) {
+ if (file[excludeArray[i].size]==0 ||
+ file[excludeArray[i].size]=='/') {
+ return 1;
+ }
+ }
+ }else{
+ if( checktype(file,excludeArray[i].type,excludeArray[i].size) == 1){
return 1;
}
}
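Review bot: checktype() leaks the context returned by getfilecon(): `con` is allocated by libselinux and is never passed to freecon(), so every file visited while a -x entry is configured leaks one allocation, and the loop in exclude() calls checktype() once per -x entry per file. The function also dereferences the result of strrchr(con, ':') without a NULL check (`c = strrchr(con,':'); c++;`), and the `size` parameter is unused. Suggest computing the result and freeing on every path, e.g. `c = strrchr(con, ':'); ret = (c != NULL && strcmp(c + 1, type) == 0); freecon(con); return ret;`, marking the function static, and noting in a comment that this assumes the type is the last colon-separated field of the context. Worth stating in the log message too: a -e entry costs a string compare per file, whereas a -x entry now costs an xattr read per file.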
@@ -775,7 +801,7 @@
memset(excludeArray,0, sizeof(excludeArray));
/* Process any options. */
- while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+ while ((opt = getopt(argc, argv, "c:dlnqrsvWe:x:o:")) > 0) {
switch (opt) {
case 'c':
{
@@ -818,6 +844,7 @@
}
len=strlen(optarg);
excludeArray[excludeCtr].directory = strdup(optarg);
+ excludeArray[excludeCtr].type = NULL;
if (!excludeArray[excludeCtr].directory) {
fprintf(stderr, "Out of memory.\n");
exit(1);
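Review bot: the added `excludeArray[excludeCtr].type = NULL;` in the -e case is redundant, since excludeArray is zeroed by the memset() visible at the top of the previous hunk, but it does document the invariant that -e entries carry no type; keep it with a short comment saying so, or drop it.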
@@ -830,7 +857,21 @@
}
break;
}
-
+ case 'x':
+ {
+ int len;
+ len=strlen(optarg);
+ excludeArray[excludeCtr].type = strdup(optarg);
+ excludeArray[excludeCtr].directory = NULL;
+ excludeArray[excludeCtr++].size = len;
+ if (excludeCtr > MAX_EXCLUDES) {
+ fprintf(stderr, "Maximum excludes %d exceeded.\n",
+ MAX_EXCLUDES);
+ exit(1);
+ }
+ break;
+ }
+
case 'd':
debug = 1;
break;
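Review bot: the bounds check in the new `case 'x'` runs after the store: `excludeArray[excludeCtr++].size = len;` writes the entry before `if (excludeCtr > MAX_EXCLUDES)` is tested, so the (MAX_EXCLUDES+1)-th -x entry writes one element past the end of excludeArray before the error fires. Test `excludeCtr >= MAX_EXCLUDES` before the strdup()/assignment instead. The strdup() result is also not checked for NULL, unlike the -e case a few lines above, which prints "Out of memory." and exits; the two cases should share the same allocation and bounds handling.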
* Re: idea: setfiles to exclude specific type
From: Daniel J Walsh @ 2004-11-22 17:00 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: sds, selinux
Yuichi Nakamura wrote:
>Hello.
>
>I added a setfiles "-x" option.
>I attach my idea in "setfiles.diff".
>
>The -x option is used to exclude a specified type.
>
>For example,
># setfiles file_contexts /home -x httpd_user_rw_t
>setfiles skips relabeling files that have "httpd_user_rw_t".
>
>The reason this option is necessary is as follows.
>I heard that fixfiles.cron was removed because unwanted alerts are displayed.
>In some cases, types must be preserved.
>http://www.redhat.com/archives/fedora-selinux-list/2004-November/msg00061.html
>
>But I think fixfiles.cron is useful, and I hope it is included again,
>because label integrity is critical for SELinux.
>
>I think that to suppress unwanted alerts,
>it is necessary to add a new option to setfiles and modify fixfiles.
>
>Does it sound reasonable?
>
>---
>Yuichi Nakamura
>Japan SELinux Users Group(JSELUG)
>http://www.selinux.gr.jp/
Is there any way we could get a list of "variable policy" from the
loaded context? Or should we write a file with this in it.
I.e., it would be nice to create an attribute (save_context???) that we
could assign to a file context, and have setfiles/restorecon ignore it if a
file is set to this context? So httpd_???_context_rw_t, gpg_t,
ssh_key_t, user_tmp_t and others could be ignored if setfiles comes upon
them on a relabel or check?
I guess we could populate a context file via a grep during policy build.
Ideas?
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: idea: setfiles to exclude specific type
From: Yuichi Nakamura @ 2004-11-22 17:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, himainu-ynakam
Daniel J Walsh wrote:
> Is there any way we could get a list of "variable policy" from the
> loaded context? Or should we write a file with this in it.
Yes, I think we have to prepare a file where the list is described.
fixfiles will read the file and pass the list to setfiles.
> I.e., it would be nice to create an attribute (save_context???) that we
> could assign to a file context, and have setfiles/restorecon ignore it if a
> file is set to this context? So httpd_???_context_rw_t, gpg_t,
> ssh_key_t, user_tmp_t and others could be ignored if setfiles comes upon
> them on a relabel or check?
> I guess we could populate a context file via a grep during policy build.
That sounds like a good idea.
I may be misunderstanding; to make sure, I will write down the flow.
In policy.conf,
type ssh_key_t, file_type, sysadmfile, save_context;
type gpg_key_t, file_type, sysadmfile, save_context;
etc. are described.
When "make" runs,
the types that have "save_context" are written somewhere
(like /etc/selinux/targeted|strict/save_contexts).
And when fixfiles is executed with some option (like fixfiles -x),
it reads the save_contexts file.
In fixfiles, setfiles will then be executed as follows:
setfiles file_contexts / -x ssh_key_t -x gpg_key_t -x ....
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
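The fixfiles side of the flow sketched above, as an added example that is not code from the thread or from the SELinux tools: it reads a save_contexts list (assumed format: one type name per line, '#' comments allowed), validates each name, and composes the `setfiles ... -x T1 -x T2` command line the way a fixfiles -x mode could. The helper names and the dry-run behaviour (the command is printed, not executed) are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code): turn a save_contexts file into
# "-x TYPE" arguments for the proposed setfiles option.

# Emit "-x type -x type ..." for every valid type listed in file $1.
build_exclude_args() {
    file="$1"
    args=""
    set -f                                 # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                 # drop trailing comments
        set -- $line                       # word-split; also trims whitespace
        [ $# -eq 0 ] && continue           # blank or comment-only line
        if [ $# -ne 1 ]; then
            printf 'save_contexts: skipping malformed line: %s\n' "$line" >&2
            continue
        fi
        case "$1" in                       # only identifier chars may reach argv
            *[!A-Za-z0-9_]*)
                printf 'save_contexts: skipping bad type name: %s\n' "$1" >&2
                continue ;;
        esac
        args="$args -x $1"
    done < "$file"
    set +f
    printf '%s' "${args# }"
}

# Compose the command a fixfiles -x mode would run (assumed layout, following
# the thread's example):  setfiles FILE_CONTEXTS ROOT -x T1 -x T2 ...
# Printed rather than executed so it can be reviewed first.
fixfiles_exclude_cmd() {
    fc="$1"; root="$2"; list="$3"
    excl="$(build_exclude_args "$list")"
    printf 'setfiles %s %s%s\n' "$fc" "$root" "${excl:+ $excl}"
}
```

Pipe the printed command through `sh` once the list looks right; an empty or entirely invalid list yields a plain `setfiles file_contexts /` with no exclusions.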
* Re: idea: setfiles to exclude specific type
From: Colin Walters @ 2004-11-22 19:20 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: sds, dwalsh, selinux
On Mon, 2004-11-22 at 10:54 -0500, Yuichi Nakamura wrote:
> Hello.
>
> I added a setfiles "-x" option.
> I attach my idea in "setfiles.diff".
>
> The -x option is used to exclude a specified type.
>
> For example,
> # setfiles file_contexts /home -x httpd_user_rw_t
> setfiles skips relabeling files that have "httpd_user_rw_t".
I thought the conclusion from previous discussion on user-customizable
file contexts was that we were going to add notation to file_contexts
for groups of contexts, so that all of e.g.
system_u:object_r:httpd_sys_content_t,
system_u:object_r:httpd_sys_script_exec_t,
system_u:object_r:httpd_sys_script_rw_t,
etc. would be acceptable.
For example:
/var/www(/.*)? system_u:object_r:httpd_sys_content_t system_u:object_r:httpd_sys_script_rw_t system_u:object_r:httpd_sys_script_exec_t ...
* Re: idea: setfiles to exclude specific type
From: Daniel J Walsh @ 2004-11-22 19:27 UTC (permalink / raw)
To: Colin Walters; +Cc: Yuichi Nakamura, sds, selinux
Colin Walters wrote:
>On Mon, 2004-11-22 at 10:54 -0500, Yuichi Nakamura wrote:
>>Hello.
>>
>>I added a setfiles "-x" option.
>>I attach my idea in "setfiles.diff".
>>
>>The -x option is used to exclude a specified type.
>>
>>For example,
>># setfiles file_contexts /home -x httpd_user_rw_t
>>setfiles skips relabeling files that have "httpd_user_rw_t".
>
>I thought the conclusion from previous discussion on user-customizable
>file contexts was that we were going to add notation to file_contexts
>for groups of contexts, so that all of e.g.
>system_u:object_r:httpd_sys_content_t,
>system_u:object_r:httpd_sys_script_exec_t,
>system_u:object_r:httpd_sys_script_rw_t,
>etc. would be acceptable.
>
>For example:
>
>/var/www(/.*)? system_u:object_r:httpd_sys_content_t system_u:object_r:httpd_sys_script_rw_t system_u:object_r:httpd_sys_script_exec_t ...
I am not sure that works, and I kind of like the idea of adding an
attribute to a context to maintain it.
Certain contexts we want to make the admin force a change on, usually
these are contexts that the user used chcon to create, or mv to make a
copy of it. So if a user creates a /var/web account with
httpd_sys_content_rw_t, we would hammer it, but if we put
httpd_content_t in a don't change category fixfiles will leave it alone
by default. The other main example would be, the user makes a copy of
his gpg_keys and restorecon/setfiles/fixfiles changes them to
user_home_t which is readable by other domains.
Dan